Deployment Architecture

Splunk Deployment server not downward compatible?

krusty
Contributor

Hi there,
just for a background. We use an existing Splunk setup since a couple of years. The old Splunk single host (indexer, search head, deployment server, etc) is version 6.2.0. We also have a lot of Windows servers with installed Universal Forwarders (Version 6.2.0).

Now we setup a new environment as a Splunk indexer cluster with a dedicated Search Head / Deployment Server. The basic system is up and running and the forwarders (6.2.0 / 7.0.0) are sending their events to the cluster. But the forwarders are not listed on the Forwarder Management Webpage.
Do we have to upgrade the old Forwarders to get the communication working between 6.2.0 forwarder and 7.0.0 Deployment server?
The deploymentclient.conf on the old forwarder (6.2.0) was updated to the new deployment server and the service (splunkd) was restarted after the configuration change.
In the documentation I couldn't find any information that it isn't supported to use older versions of forwarders with a newer/later version of Deployment Server.

If somebody have had the same problem and was able to fix it, any information are welcome.

Regards

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi krusty,
at first, it isn't a best practice to have Deployment Server and Search Head on the same server: if you have more than 50 Forwarders to manage you have to use a dedicated Deployment Server.

To have Forwarders 6.2.x isn't a problem (I have Forwarders 6.1.5 in one of my projects with no problems).
But, you're sure that all the forwarders address the new Deployment Server? maybe some of them still have as Deployment Server the old one!

Bye.
Giuseppe

0 Karma

krusty
Contributor

Hi Giuseppe,

thanks for you answer.
You are absolutly right. It is not recommended to use Search Head and Deployment Server on the same server. But for my test it should be okay.

Unfortunately I cannot see any 6.2.0 forwarders under the deployment server (forwarder management). I only see there the forwarders which has installed the 7.0.0 version.

On the old (6.2.0) forwarders I found such messages into the splunkd.log
"INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected"

I don't know why it tells me "not_connected".

0 Karma

gcusello
SplunkTrust
SplunkTrust

Only a quick answer: have you still active the old Splunk server? do you continue to see on it the old Forwarders?

At first, check if your 6.2.0 forwarders have the correct deploymentclient.conf and if they can reach the new Deployment Server on 8089 port.

Then try to upgrade one of them and verify if you see the new one on the new Deployment Server.

For my experience version isn't a problem!

Bye.
Giuseppe

0 Karma

krusty
Contributor

Yes, the old 6.2.0 Deployment Server is still up and running. Could this be the issue? I will upgrade one Forwarder to see what happens then. I will let you know.

0 Karma

gcusello
SplunkTrust
SplunkTrust

If you continue to see the 6.2.0 Forwarders on the old DS, this means that in your Forwarders is still configured the old one.

Bye.
Giuseppe

0 Karma

krusty
Contributor

On the old DS I see the entries from the 6.2.0 Forwarders, but the "Phone Home" field is "4 days ago". Thats the time when I changed the deployment server configuration in the deploymentclient.conf on the Forwarders.

But I will try to upgrade now one of the 6.2.0 Forwarders to the 7.0.0 version and will see what happens then.

[edit]
I did an upgrade from 6.2.0 to 7.0.0 on one of the Forwarders who wont communicate with the DS. Since the version was changed the Forwarder communicates with the DS and I'm able to deploy an custom app.

So it looks like the communication between 6.2.0 Forwarders and 7.0.0 DS is not possible/supported.

0 Karma

gcusello
SplunkTrust
SplunkTrust

I don't know on 6.2.0, I'm using 6.1.5 and it runs.
eventually try to run on the 6.2.0. forwarders the CLI command

/opt/splunk/bin/splunk set deploy-poll xx.xx.xx.xx:8089

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...